Respect all members: no insults, harassment, or hate speech.
Be tolerant of different viewpoints, cultures, and beliefs. If you do not agree with others, just create separate note, article or collection.
Clearly distinguish between personal opinion and fact.
Verify facts before posting, especially when writing about history, science, or statistics.
Promotional content must be published on the “Related Services and Products” page—no more than one paragraph per service. You can also create subpages under the “Related Services and Products” page and publish longer promotional text there.
Do not post materials that infringe on copyright without permission.
Always credit sources when sharing information, quotes, or media.
Be respectful of the work of others when making changes.
Discuss major edits instead of removing others' contributions without reason.
If you notice rule-breaking, notify community about it in talks.
Do not share personal data of others without their consent.
In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. To encipher or encode is to convert information into cipher or code. In common parlance, "cipher" is synonymous with "code", as they are both a set of steps that encrypt a message; however, the concepts are distinct in cryptography, especially classical cryptography.
Codes generally substitute different length strings of characters in the output, while ciphers generally substitute the same number of characters as are input. A code maps one meaning with another. Words and phrases can be coded as letters or numbers. Codes typically have direct meaning from input to key. Codes primarily function to save time. Ciphers are algorithmic. The given input must follow the cipher's process to be solved. Ciphers are commonly used to encrypt written information.
Codes operated by substituting according to a large codebook which linked a random string of characters or numbers to a word or phrase. For example, "UQJHSE" could be the code for "Proceed to the following coordinates.". When using a cipher the original information is known as plaintext, and the encrypted form as ciphertext. The ciphertext message contains all the information of the plaintext message, but is not in a format readable by a human or computer without the proper mechanism to decrypt it.
The operation of a cipher usually depends on a piece of auxiliary information, called a key (or, in traditional NSA parlance, a cryptovariable). The encrypting procedure is varied depending on the key, which changes the detailed operation of the algorithm. A key must be selected before using a cipher to encrypt a message, with some exceptions such as ROT13 and Atbash.
Most modern ciphers can be categorized in several ways:
By whether they work on blocks of symbols usually of a fixed size (block ciphers), or on a continuous stream of symbols (stream ciphers).
By whether the same key is used for both encryption and decryption (symmetric key algorithms), or if a different key is used for each (asymmetric key algorithms). If the algorithm is symmetric, the key must be known to the recipient and sender and to no one else. If the algorithm is an asymmetric one, the enciphering key is different from, but closely related to, the deciphering key. If one key cannot be deduced from the other, the asymmetric key algorithm has the public/private key property and one of the keys may be made public without loss of confidentiality.
Originating from the Sanskrit word for zero शून्य (śuṇya), via the Arabic word صفر (ṣifr), the word "cipher" spread to Europe as part of the Arabic numeral system during the Middle Ages. The Roman numeral system lacked the concept of zero, and this limited advances in mathematics. In this transition, the word was adopted into Medieval Latin as cifra, and then into Middle French as cifre. This eventually led to the English word cipher (also spelt cypher). One theory for how the term came to refer to encoding is that the concept of zero was confusing to Europeans, and so the term came to refer to a message or communication that was not easily understood.[1]
The term cipher was later also used to refer to any Arabic digit, or to calculation using them, so encoding text in the form of Arabic numerals is literally converting the text to "ciphers".
In casual contexts, "code" and "cipher" can typically be used interchangeably; however, the technical usages of the words refer to different concepts. Codes contain meaning; words and phrases are assigned to numbers or symbols, creating a shorter message.
An example of this is the commercial telegraph code which was used to shorten long telegraph messages which resulted from entering into commercial contracts using exchanges of telegrams.
Another example is given by whole word ciphers, which allow the user to replace an entire word with a symbol or character, much like the way written Japanese utilizes Kanji (meaning Chinese characters in Japanese) characters to supplement the native Japanese characters representing syllables. An example using English language with Kanji could be to replace "The quick brown fox jumps over the lazy dog" by "The quick brown 狐 jumps 上 the lazy 犬". Stenographers sometimes use specific symbols to abbreviate whole words.
Ciphers, on the other hand, work at a lower level: the level of individual letters, small groups of letters, or, in modern schemes, individual bits and blocks of bits. Some systems used both codes and ciphers in one system, using superencipherment to increase the security. In some cases the terms codes and ciphers are used synonymously with substitution and transposition, respectively.
Historically, cryptography was split into a dichotomy of codes and ciphers, while coding had its own terminology analogous to that of ciphers: "encoding, codetext, decoding" and so on.
However, codes have a variety of drawbacks, including susceptibility to cryptanalysis and the difficulty of managing a cumbersome codebook. Because of this, codes have fallen into disuse in modern cryptography, and ciphers are the dominant technique.
There are a variety of different types of encryption. Algorithms used earlier in the history of cryptography are substantially different from modern methods, and modern ciphers can be classified according to how they operate and whether they use one or two keys.
Visual representation of how Caesar's Cipher works.
The Caesar Cipher is one of the earliest known cryptographic systems. Julius Caesar used a cipher that shifts the letters in the alphabet in place by three and wrapping the remaining letters to the front to write to Marcus Tullius Cicero in approximately 50 BC.[citation needed]
Historical pen and paper ciphers used in the past are sometimes known as classical ciphers. They include simple substitution ciphers (such as ROT13) and transposition ciphers (such as a Rail Fence Cipher). For example, "GOOD DOG" can be encrypted as "PLLX XLP" where "L" substitutes for "O", "P" for "G", and "X" for "D" in the message. Transposition of the letters "GOOD DOG" can result in "DGOGDOO". These simple ciphers and examples are easy to crack, even without plaintext-ciphertext pairs.[2][3]
In the 1640s, the Parliamentarian commander, Edward Montagu, 2nd Earl of Manchester, developed ciphers to send coded messages to his allies during the English Civil War.[4] The English theologian John Wilkins published a book in 1641 titled "Mercury, or The Secret and Swift Messenger" and described a musical cipher wherein letters of the alphabet were substituted for music notes.[5][6] This species of melodic cipher was depicted in greater detail by author Abraham Rees in his book Cyclopædia (1778).[7]
Simple ciphers were replaced by polyalphabetic substitution ciphers (such as the Vigenère) which changed the substitution alphabet for every letter. For example, "GOOD DOG" can be encrypted as "PLSX TWF" where "L", "S", and "W" substitute for "O". With even a small amount of known or estimated plaintext, simple polyalphabetic substitution ciphers and letter transposition ciphers designed for pen and paper encryption are easy to crack.[8] It is possible to create a secure pen and paper cipher based on a one-time pad, but these have other disadvantages.
During the early twentieth century, electro-mechanical machines were invented to do encryption and decryption using transposition, polyalphabetic substitution, and a kind of "additive" substitution. In rotor machines, several rotor disks provided polyalphabetic substitution, while plug boards provided another substitution. Keys were easily changed by changing the rotor disks and the plugboard wires. Although these encryption methods were more complex than previous schemes and required machines to encrypt and decrypt, other machines such as the British Bombe were invented to crack these encryption methods.
In a symmetric key algorithm (e.g., DES and AES), the sender and receiver must have a shared key set up in advance and kept secret from all other parties; the sender uses this key for encryption, and the receiver uses the same key for decryption. The design of AES (Advanced Encryption System) was beneficial because it aimed to overcome the flaws in the design of the DES (Data encryption standard). AES's designer's claim that the common means of modern cipher cryptanalytic attacks are ineffective against AES due to its design structure.
Ciphers can be distinguished into two types by the type of input data:
block ciphers, which encrypt block of data of fixed size, and
stream ciphers, which encrypt continuous streams of data.
In a pure mathematical attack, (i.e., lacking any other information to help break a cipher) two factors above all count:
Computational power available, i.e., the computing power which can be brought to bear on the problem. It is important to note that average performance/capacity of a single computer is not the only factor to consider. An adversary can use multiple computers at once, for instance, to increase the speed of exhaustive search for a key (i.e., "brute force" attack) substantially.
Key size, i.e., the size of key used to encrypt a message. As the key size increases, so does the complexity of exhaustive search to the point where it becomes impractical to crack encryption directly.
Since the desired effect is computational difficulty, in theory one would choose an algorithm and desired difficulty level, thus decide the key length accordingly.
Claude Shannon proved, using information theory considerations, that any theoretically unbreakable cipher must have keys which are at least as long as the plaintext, and used only once: one-time pad.[9]
Ho, Yean Li; Samsudin, Azman; Belaton, Bahari (2005). Heuristic Cryptanalysis of Classical and Modern Ciphers. 2005 13th IEEE International Conference on Networks, Jointly held with the 2005 IEEE 7th Malaysia International Conference on Communication. Vol. 2. Kuala Lumpur: IEEE. pp. 710–715. doi:10.1109/ICON.2005.1635595.
A cipher is a cryptographic algorithm consisting of an encryption function that transforms plaintext into ciphertext using a secret key, and a corresponding decryption function that reverses the process to recover the original message, ensuring that only authorized parties can access the information.[1] Ciphers form the core of cryptography, the practice of securing communications and data by disguising their content from unauthorized observers.[2]The use of ciphers dates back thousands of years, with early examples including Egyptian hieroglyphic substitutions around 1900 BC and the Spartan scytale, a transposition device for wrapping messages around a cylinder to obscure them, employed around 400 BC.[3] One of the earliest documented substitution ciphers is the Caesar cipher, attributed to Julius Caesar (100–44 BC), which shifts each letter in the alphabet by a fixed number of positions, such as three, to encode messages for military communications.[4] Over centuries, ciphers evolved through polyalphabetic methods like the Vigenère cipher in the 16th century, which uses a keyword to vary the substitution and resist frequency analysis, and mechanical devices like the Enigma machine during World War II, which employed rotors for complex permutations but was ultimately broken by Allied cryptanalysts.[5]Ciphers are broadly classified into symmetric and asymmetric types based on key usage. Symmetric ciphers, such as the Data Encryption Standard (DES) introduced in 1977, employ the same secret key for both encryption and decryption, offering efficiency for bulk data but requiring secure key exchange.[1] Asymmetric ciphers, also known as public-key systems, use a pair of keys—a public key for encryption and a private key for decryption—enabling secure communication without prior key sharing; this paradigm was pioneered in 1976 by Diffie-Hellman key exchange and Rivest-Shamir-Adleman (RSA) algorithms.[6]In the modern era, ciphers underpin digital security across applications like secure web browsing (HTTPS), email encryption, and blockchain technology. The Advanced Encryption Standard (AES), a symmetric block cipher selected by the U.S. National Institute of Standards and Technology (NIST) in 2001 after a global competition, supports key sizes of 128, 192, or 256 bits and is mandated for protecting sensitive government data due to its resistance to known attacks.[7] As computational power grows and quantum computing emerges, NIST has standardized initial post-quantum cryptographic algorithms, including ML-KEM, ML-DSA, and SLH-DSA in 2024, with further selections like HQC in 2025, to safeguard against quantum threats and support the evolution of cryptographic protections.[8][9]
Etymology and Terminology
Etymology
The word cipher originates from the Arabic ṣifr (صِفْر), meaning "zero" or "empty," a term used in the Arabic numeral system to denote the absence of value. This entered Latin as cifra around the 12th century and Old French as cifre (modern French chiffre), before being adopted into Middle English in the late 14th century, where it initially referred to the numeral zero, an arithmetic symbol, or a record of numerical calculation.[10][11]The earliest documented use of cipher in English appears in 1399 in the writings of poet William Langland, denoting a numerical figure, though it gained prominence in literary contexts by the late 14th century, as seen in works by Geoffrey Chaucer, who referenced numerals in a similar vein around 1386. By the 16th century, the term's meaning expanded significantly in English to encompass secret writing or encryption, with the first recorded sense of a "secret code" appearing in the 1520s, reflecting growing interest in concealing messages amid political and diplomatic intrigue.[12][10]Related terminology in cryptography also draws from ancient roots. Cryptography derives from the Greek kryptós ("hidden") and gráphein ("to write"), coined in the mid-17th century via Latin and French to describe the practice of hidden writing. Similarly, code stems from Latin codex (from caudex, "tree trunk" or "block of wood," referring to early inscribed law tablets), entering Old French as code in the 13th century and English around 1300 to mean a systematic collection of rules or symbols, later applied to cryptographic substitutions at the level of words or phrases.[13][14][15]Over time, cipher evolved from a mere placeholder for zero in medieval European mathematics—introduced via Arabic scholars—to a symbol for intricate systems of secret communication during the Renaissance, when cryptographic techniques proliferated in Europe. This linguistic shift paralleled practical developments, such as the Caesar cipher, an ancient Roman substitution method that exemplified early encoded messaging.[10][16]
Key Terminology
In cryptography, the foundational elements of a cipher involve transforming readable data into a secure form and back. Plaintext refers to the original, unencrypted message or data that is intended for transmission or storage.[17] Ciphertext is the encrypted output produced from the plaintext, rendering it unintelligible without the proper reversal process.[17] The key is a secret parameter used in conjunction with a cryptographic algorithm to control the encryption and decryption operations, enabling only authorized parties to recover the original data.[18] Encryption denotes the process of converting plaintext into ciphertext using an algorithm and key, thereby concealing the data's meaning.[19] Decryption is the inverse operation, transforming ciphertext back into plaintext via the same or a related key and algorithm.[20]Ciphers are categorized by their key management and operational mechanisms. Symmetric cryptography employs a single key for both encryption and decryption, ensuring efficiency but requiring secure key distribution between parties.[21] In contrast, asymmetric cryptography utilizes a pair of related keys—a public key for encryption or signature verification, and a private key for decryption or signing—facilitating secure communication without prior key exchange.[22] Block ciphers process data in fixed-size blocks, typically 64 or 128 bits, applying the algorithm to each block independently or in modes that chain them.[23] Stream ciphers, however, generate a keystream that is combined with the plaintext bit-by-bit or byte-by-byte, suitable for continuous data flows without fixed block boundaries.[24]Many ciphers rely on modulo arithmetic as a mathematical foundation, where operations are performed within a finite set of residues from 0 to n-1, with results wrapping around upon exceeding n; this enables efficient computations in cyclic groups essential for encryption functions like modular addition.[25] Claude Shannon's principles of confusion and diffusion underpin secure cipher design: confusion obscures the statistical relationship between the key and ciphertext, making it difficult to deduce the key from observed outputs, while diffusion ensures that changes in a single plaintext bit influence many ciphertext bits, dissipating statistical patterns across the output.
Glossary of Key Terms
Nonce: A number used only once in a cryptographic communication to ensure uniqueness and prevent replay attacks, often serving as an input to modes of operation.[26]
Initialization Vector (IV): A fixed-length, random or pseudo-random value used in conjunction with a key to initialize a cipher mode, ensuring that identical plaintexts produce different ciphertexts; it functions as a nonce in many contexts.[26]
Padding: Additional data appended to plaintext to align its length with the block size requirements of a block cipher, standard schemes like PKCS#7 ensure reversibility during decryption.[26]
Keystream: A pseudo-random bit sequence generated by a stream cipher, which is combined (typically via XOR) with plaintext to produce ciphertext.[24]
Mode of Operation: A specification defining how a block cipher processes multiple blocks, such as ECB for independent blocks or CBC for chained dependencies, to achieve security properties like confidentiality.[26]
Cryptographic Algorithm: A mathematical procedure or function that, given a key, performs encryption or decryption; examples include AES for symmetric operations.[18]
Public Key: In asymmetric systems, the openly shared component of a key pair used for encryption or verification, derived from but not revealing the private key.[22]
Private Key: The confidential component of an asymmetric key pair, used for decryption or signing, kept secret by its owner.[22]
Substitution: A transformation in a cipher that replaces plaintext elements with ciphertext ones based on the key, contributing to confusion.
Permutation: A reordering of data elements within a cipher block, promoting diffusion by spreading influences across positions.
Ciphers Versus Codes
Core Distinctions
A cipher involves a rule-based mathematical transformation applied to plaintext using a secret key, producing ciphertext that can be reversibly decrypted only with the same key. In contrast, a code substitutes entire words, phrases, or symbols with predefined equivalents, typically via a codebook or lookup table, and decryption requires access to that reference without relying on a computational key.The core differences lie in their structures and functions: ciphers operate algorithmically and depend on keys to enable automated encryption and decryption through computation, whereas codes use semantic mappings in lookup tables that emphasize obscurity over mathematics.[27] Ciphers protect messages against interception by leveraging computational secrecy, making them suitable for systematic security, while codes rely on the hidden nature of their substitutions, often prioritizing brevity or deception in non-technical contexts.[28]Theoretically, ciphers can achieve perfect secrecy, as defined by Claude Shannon, where the ciphertext provides no information about the plaintext without the key, provided the key is randomly selected and at least as long as the message.[29] Codes, however, do not inherently support this level of secrecy, as their fixed mappings can leak patterns or meanings even without the full reference.[29]Ciphers offer scalability for digital and large-scale applications due to their algorithmic nature, facilitating efficient implementation in software and hardware. Codes, by comparison, are simpler for manual use in small operations but become cumbersome to manage at scale owing to the need for distributing and maintaining extensive reference materials.
Illustrative Examples
A classic example of a cipher is the Caesar cipher, a monoalphabetic substitution method where each letter in the plaintext is shifted by a fixed number of positions in the alphabet. For a shift of 3, the plaintext message "HELLO" encrypts to "KHOOR" by mapping A to D, B to E, C to F, and so forth, wrapping around from Z to A if necessary. Decryption applies the inverse shift of 23 positions (or equivalently, subtract 3), restoring "KHOOR" to "HELLO"; this process relies solely on the shift value as the key and operates algorithmically on individual symbols.In contrast, a code employs a pre-agreed codebook to replace entire words, phrases, or concepts with arbitrary symbols or words, without altering the structure of the message symbols. A typical military codebook might substitute words like "attack" with "EAGLE" and "dawn" with another term, enabling brevity and secrecy in communications; decoding demands possession of the complete codebook to map back to meanings, as there is no underlying algorithm to apply.To demonstrate the core distinctions, consider encrypting the message "MEET AT DAWN." Under the Caesar cipher with a shift of 3, it transforms letter-by-letter into "PHHW DG'DZQ," systematically altering symbols via the key without regard to semantic units. By comparison, a codebook approach might replace the full phrase "MEET AT DAWN" with "FALCON," a direct substitution of the meaning drawn from lookup tables, underscoring ciphers' reliance on algorithmic symbol manipulation versus codes' dependence on referential mappings.[30]Modern non-secret applications of codes, such as ZIP codes in postal systems, illustrate the lookup principle by mapping numeric sequences (e.g., 90210) to specific locations via standardized tables, akin to codebooks but serving organization rather than confidentiality. In cryptographic contexts, systems like the one-time pad—often viewed as a hybrid due to its key distribution—remain classified as a cipher, as it applies a random key stream algorithmically to the plaintext (typically via modular addition or XOR) for encryption, ensuring security through the key's secrecy and single use rather than phrase substitutions.[31]Codes exhibit significant limitations in security, as capturing the codebook compromises the entire system by exposing all mappings at once, rendering further messages immediately intelligible to adversaries. Ciphers, however, resist compromise if the key remains undisclosed, since the transformation rules alone yield no meaningful information without it, allowing reuse of the algorithm across messages with varying keys.[32]
Types of Ciphers
Historical Ciphers
The earliest known uses of ciphers trace back to ancient civilizations, where substitution methods were employed to obscure messages. Around 1900 BCE, ancient Egyptians utilized hieroglyphic substitutions to conceal sensitive information, marking one of the first documented cryptographic practices in recorded history.[33] In ancient Greece, the Spartans developed the scytale around 400 BCE, a transposition cipher involving a cylindrical baton around which a strip of parchment was wrapped to encode a message; when unwrapped, the text appeared as a jumbled sequence, only readable when rewound on a matching cylinder of the same diameter.[34] This device facilitated secure military communications, leveraging physical alignment for decryption rather than linguistic transformation.[35]During the classical era, Roman and Greek innovations further advanced substitution techniques. The Caesar cipher, attributed to Julius Caesar in the 1st century BCE, employed a simple monoalphabetic shift where each letter in the plaintext was replaced by one three positions down the alphabet, creating a basic yet effective method for protecting military orders.[36] Complementing this, the Polybius square, devised in the 2nd century BCE by the Greek historian Polybius, organized the alphabet into a 5x5 grid to encode letters as pairs of numbers, enabling compact transmission via signals like torches or flags and serving both cryptographic and signaling purposes in warfare.[37]In the medieval and Renaissance periods, ciphers evolved toward greater complexity to counter emerging cryptanalytic methods. The Atbash cipher, a Hebrew mirror substitution dating to around 500 CE, reversed the alphabet to transform each letter into its opposite (e.g., A to Z, B to Y), often used in religious texts for symbolic or secretive encoding.[33] A significant leap came with the Vigenère cipher, first described by Giovan Battista Bellaso in 1553 and later popularized by Blaise de Vigenère in 1586; this polyalphabetic system used a keyword to select shifting alphabets, producing ciphertext via the modular addition of plaintext and key values, formalized asCi=(Pi+Kj)mod26where Ci is the ciphertext letter, Pi the plaintext letter, Kj the corresponding key letter, and indices cycle through the keyword. The mechanism relied on a tabula recta—a table of shifted alphabets—to align and encrypt, offering resistance to simple frequency analysis compared to monoalphabetic predecessors.[38]By the 19th century, manual ciphers incorporated digraph substitutions and mechanical precursors to later machines. The Playfair cipher, developed by Charles Wheatstone in 1854 and promoted by Baron Lyon Playfair, treated the alphabet as a 5x5 grid derived from a keyword, substituting pairs of letters (digraphs) based on their positions—replacing them with letters from the same row, column, or forming a rectangle—thus providing a manual digraphic encryption suited for telegraphic use.[39] Earlier mechanical concepts, such as rotating cylinders or wheels proposed in the late 18th and 19th centuries, foreshadowed rotor-based systems by enabling sequential substitutions, though they remained hand-operated and limited in scale.[40]Historical ciphers played pivotal roles in societal contexts, particularly warfare and literature, while their vulnerabilities spurred cryptanalytic advancements. In 16th-century Europe, nomenclators—hybrid systems combining substitution ciphers with codebooks for names and phrases—were employed by figures like Mary, Queen of Scots, to secure correspondence during political intrigues, though such messages were often intercepted and deciphered by rivals.[33] In literature, Edgar Allan Poe popularized cryptograms in the 19th century through stories like "The Gold-Bug" (1843), where he embedded solvable ciphers to engage readers and demonstrate frequency analysis, influencing public fascination with cryptography.[41] The limitations of these hand ciphers, vulnerable to linguistic patterns, prompted the emergence of cryptanalysis; notably, in the 9th century, Arab polymath Al-Kindi pioneered frequency analysis by tabulating letter occurrences in Arabic to break monoalphabetic substitutions, laying foundational principles for codebreaking.[42]The advent of computing in the 20th century marked the decline of manual historical ciphers, as electronic machines like the Enigma during World War II rendered hand methods obsolete for large-scale operations, shifting cryptography toward algorithmic and automated systems.[43]
Modern Ciphers
Modern ciphers, developed primarily in the late 20th and early 21st centuries, rely on computational complexity for security and are designed for digital systems, contrasting with earlier manual methods. These include symmetric block ciphers like the Data Encryption Standard (DES) and Advanced Encryption Standard (AES), which process data in fixed-size blocks using substitution and permutation operations. DES, standardized by the National Bureau of Standards in 1977, operates on 64-bit blocks with a 56-bit key and uses a Feistel network structure consisting of 16 rounds of expansion, substitution via S-boxes, and permutation.[44] Its relatively short key length made it vulnerable to brute-force attacks by the 1990s, leading to its eventual deprecation in favor of stronger alternatives.[45]AES, selected by the National Institute of Standards and Technology (NIST) in 2000 and published as Federal Information Processing Standard (FIPS) 197 in 2001, is based on the Rijndael algorithm submitted by Joan Daemen and Vincent Rijmen.[46] It supports 128-bit blocks and key sizes of 128, 192, or 256 bits, structured around 10, 12, or 14 rounds of operations including SubBytes (non-linear substitution with S-boxes), ShiftRows (permutation), MixColumns (linear mixing), and AddRoundKey (key XOR).[47] AES remains the dominant symmetric block cipher in use today due to its efficiency and resistance to known cryptanalytic attacks.[46]Stream ciphers, which generate a pseudorandom keystream to XOR with plaintext, are suited for real-time applications like network encryption. RC4, designed by Ron Rivest in 1987, produces a variable-length keystream from a key up to 256 bits using a state array and swapping mechanism, but it has been deprecated since the early 2010s due to biases in its output that enable practical attacks.[48] More secure alternatives include Salsa20, introduced by Daniel J. Bernstein in 2005, and its variant ChaCha from 2008, both 256-bit stream ciphers optimized for high-speed performance on resource-constrained devices like mobiles.[49] These use addition-rotation-XOR (ARX) operations in 20 rounds to produce keystreams resistant to cryptanalysis, with ChaCha particularly favored in protocols for its software efficiency.[50]Asymmetric ciphers enable secure key exchange without prior shared secrets, relying on mathematical problems like integer factorization. RSA, proposed by Ron Rivest, Adi Shamir, and Leonard Adleman in 1977, bases its security on the difficulty of factoring the product of two large primes.[51]Key generation involves selecting primes p and q, computing n=p×q as the modulus and ϕ(n)=(p−1)(q−1) as Euler's totient, then choosing public exponent e coprime to ϕ(n) with private exponent d such that d×e≡1(modϕ(n)); encryption computes ciphertext C=Memodn for message M, while decryption recovers M=Cdmodn.[51]Hybrid systems combine symmetric and asymmetric ciphers for efficiency and security in practical applications. Pretty Good Privacy (PGP), developed by Phil Zimmermann in 1991, employs asymmetric encryption (typically RSA) to securely exchange a symmetric key (like IDEA or AES), which then encrypts the bulk data.[52] Similarly, Transport Layer Security (TLS) version 1.3, standardized by the Internet Engineering Task Force (IETF) in RFC 8446 in 2018, integrates hybrid mechanisms using asymmetric key exchange (e.g., Diffie-Hellman or RSA) followed by symmetric encryption with AES or ChaCha20 for session data. As of 2025, TLS implementations are incorporating post-quantum resistance through hybrid modes, as outlined in IETF drafts.[53]The advent of quantum computing poses existential threats to classical asymmetric ciphers like RSA and elliptic curve cryptography (ECC), primarily via Shor's algorithm from 1994, which efficiently solves integer factorization and discrete logarithm problems on a sufficiently large quantum computer. This motivates post-quantum cryptography (PQC), with NIST having finalized initial standards in 2024 (including FIPS 203 for ML-KEM based on CRYSTALS-Kyber, which uses learning-with-errors problems for secure key exchange, FIPS 204 for ML-DSA, and FIPS 205 for SLH-DSA based on hash-based signatures such as SPHINCS+) and selecting additional algorithms like HQC for standardization in March 2025.[54][55][9]Standardization ensures interoperability and security; NIST plays a central role, as with FIPS 197 for AES, while the IETF governs protocol integration, such as cipher suites in TLS.[46] These bodies continue to evolve standards to address emerging threats, including quantum risks.[53]
Security Considerations
Key Size and Strength
The key space of a cipher refers to the total number of possible keys, which for a symmetric cipher with a k-bit key length is 2k. A brute-force attack attempting to recover the key by exhaustive search would require, on average, 2k−1 trials, leading to a time complexity of O(2k) operations.[56]The strength of a cipher is often quantified by its effective security level in bits, representing the minimum computational effort (in binary logarithm terms) an adversary would need to break it via the most efficient known attack, typically brute force for well-designed ciphers. For instance, a 128-bit security level implies approximately 2128 operations are required, which remains infeasible with current and foreseeable classical computing resources. Moore's law, which historically doubles computing power approximately every 18-24 months, gradually erodes this effective strength by effectively reducing the security bits over time; estimates suggest a loss of about 1 bit of security every 1.5-2 years due to increased attack feasibility.[56][57]Historically, the Data Encryption Standard (DES) with its 56-bit key exemplified inadequate strength; in 1998, the Electronic Frontier Foundation's DES cracker machine broke a DES key in under 3 days using specialized hardware costing less than $250,000, demonstrating that 256 trials were feasible even then. In contrast, the Advanced Encryption Standard (AES) with 128-bit keys provides 128-bit security and is recommended by NIST for protection through at least 2030 and into the subsequent decade, while AES-256 offers 256-bit security suitable for long-term confidentiality needs beyond 2040.[58][59]For asymmetric ciphers, key sizes must be larger to achieve comparable security due to differing mathematical foundations. NIST guidelines equate a 2048-bit RSA modulus to approximately 112 bits of symmetric security (e.g., equivalent to 3-key Triple DES), while a 3072-bit RSA key reaches 128 bits; for elliptic curve cryptography (ECC), a 256-bit curve provides 128-bit security, offering efficiency advantages over RSA. The table below summarizes these equivalences based on NIST security strength ratings:
[56]Beyond key size, true strength depends on key generation processes ensuring full entropy equal to the key length—insufficient randomness can reduce the effective key space. Additionally, mechanisms like forward secrecy, achieved through ephemeral key generation in protocols such as ephemeral Diffie-Hellman, limit compromise to current sessions rather than past ones, enhancing overall system resilience independent of static key size.[56]The security level in bits can be formally defined as log2 of the adversary's required effort; for a symmetric cipher with key size k, this is k bits against brute force. For AES-256, exhaustive search demands 2256 trials, or roughly 1077 operations. At a hypothetical rate of 1018 operations per second (exceeding current supercomputer capabilities), the average time to find the key would be 2255/1018≈3.4×1051 years, far exceeding the age of the universe.[56][60]
Vulnerabilities and Cryptanalysis
Classical cryptanalysis encompasses techniques that exploit statistical properties of ciphers to recover plaintext without the key. Frequency analysis, a foundational method, targets monoalphabetic substitution ciphers by leveraging the non-uniform distribution of letters in natural languages, such as English where 'E' appears about 12.7% of the time, allowing cryptanalysts to map ciphertext frequencies to likely plaintext equivalents.In the 1990s, differential cryptanalysis emerged as a powerful attack on block ciphers like DES, developed by Eli Biham and Adi Shamir; it uses chosen plaintexts to identify high-probability differences propagating through rounds, exploiting S-box nonlinearities with success probabilities derived from differential distributions. Linear cryptanalysis, introduced by Mitsuru Matsui in 1993, complements this by approximating the cipher's nonlinear operations, such as S-boxes, with linear equations over GF(2, using known plaintexts to bias these approximations and recover keys through statistical correlation. Integral cryptanalysis, proposed by Lars Knudsen and David Wagner in 2002, extends these ideas to ciphers with integral properties, partitioning plaintexts into subsets where byte sums remain invariant across rounds, enabling key recovery on structures like substitution-permutation networks.[61]Side-channel attacks bypass mathematical weaknesses by observing physical implementations. Timing attacks, first detailed by Paul Kocher in 1996, exploit variations in execution time—such as modular exponentiation in RSA depending on key bits—to infer secrets from measurement precision as low as nanoseconds. Power analysis includes simple power analysis (SPA), which directly interprets consumption traces for data-dependent operations like conditional branches, and differential power analysis (DPA), a statistical method correlating multiple traces with hypothetical power models to extract keys with high confidence using Hamming weight leakages.[62]Fault injection attacks induce errors via voltage glitches or lasers to disrupt computations, revealing keys when faulty ciphertexts are compared to correct ones, as demonstrated on AES implementations.Quantum computing poses existential threats to current ciphers. Grover's algorithm reduces the effective security of symmetric ciphers from 2k to approximately 2k/2 operations by providing a quadratic speedup for unstructured search, necessitating at least 256-bit keys for 128-bit security. Shor's algorithm efficiently factors large integers, breaking RSA and ECC by solving the discrete logarithm problem in polynomial time on a sufficiently large quantum computer. In response, NIST's post-quantum cryptographystandardization aims for full migration of federal systems to quantum-resistant algorithms by 2035, with initial standards including ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) finalized in 2024. In March 2025, NIST selected HQC as a fifth algorithm for standardization, with a draft standard expected in 2026 and finalization around 2027.[63][64]Implementation flaws often amplify theoretical vulnerabilities. The padding oracle attack, formalized by Serge Vaudenay in 2002, exploits servers that leak whether CBC padding is valid, allowing byte-by-byte decryption of ciphertexts through adaptive queries. Bleichenbacher's 1998 attack on PKCS#1 v1.5 padding in RSA uses similar oracle responses to forge signatures or decrypt by exploiting malleability in error messages. Weak random number generators, such as Dual_EC_DRBG, contained a deliberate backdoor revealed in 2013 via Snowden leaks, enabling prediction of outputs and compromise of keys in TLS handshakes.Mitigations emphasize rigorous design and verification. Provable security frameworks, like OAEP padding for RSA introduced by Mihir Bellare and Phillip Rogaway in 1994, achieve chosen-ciphertext security in the random oracle model by incorporating redundancy and randomization to prevent malleability attacks.[65] Regular security audits, including formal verification and penetration testing, identify flaws early, while transitioning to quantum-resistant algorithms such as lattice-based schemes (e.g., Kyber) ensures long-term resilience as standardized by NIST.
_Round_Function.png)
